Overview

Explore a 41-minute conference talk from DEF CON that revives a supposedly resolved attack surface through novel exploitation techniques. Learn about a stealthy approach to applying malicious shims without registry modifications or SDB files, leaving no disk traces. Dive into reverse engineering of the shim infrastructure, focusing on undocumented APIs and kernel driver analysis. Discover offensive capabilities within the infrastructure and follow the development process of this unique technique. Examine groundbreaking research that reveals how to manipulate two distinct OS components for DLL injection and privilege escalation. Understand the exploitation of undocumented RPC interfaces in OfficeClickToRun.exe, enabling DLL injection into processes running with SYSTEM privileges. Master the specific conditions required for successful exploitation, including the strategic use of Opportunistic Lock and App Compatibility mechanisms.

Syllabus
DEF CON 32 - Manipulating Shim and Office for Code Injection - Ron Ben-Yizhak, David Shandalov
Taught by
DEFCONConference